
Project maintainer can escalate to Project owner using project access token rotate API

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2058934 by ashish_r_padelkar on 2023-07-09, assigned to @nmalcolm:


Report

Summary

Hello,

Project access tokens can be created at https://gitlab.com/<NameSpace>/<ProjectName>/-/settings/access_tokens. A project owner can create a project access token with the OWNER role, whereas a project maintainer can create tokens only up to the Maintainer role.

Also, once a PAT (project access token) is created, its value is visible only at creation time. If the project owner creates a PAT with the OWNER role, the maintainer won't be able to see the token, so they cannot use a token of owner scope, which works correctly.

However, using the rotate API of the PAT, the maintainer can generate a new token, which will have the owner role because the token was created by the project owner previously.

Steps to reproduce

1. Log in as a project Owner and go to https://gitlab.com/<NameSpace>/<ProjectName>/-/settings/access_tokens.

2. Create a new token with Owner role and API scope.
(Screenshot attachment: Screen_Shot_2023-07-10_at_12.31.42_AM.png)

3. Now log in as a maintainer of the same project and go to https://gitlab.com/<NameSpace>/<ProjectName>/-/settings/access_tokens. You see that the project owner has created a PAT, but you can only see the name of the token, its role and scope, not the token itself. This means you can't use a token that has a higher scope than your role, which is working correctly and as expected.

4. Now create your personal access token at https://gitlab.com/-/profile/personal_access_tokens with API scope.

5. Visit https://gitlab.com/api/v4/projects/<ID>/access_tokens/ and note the ID of the PAT created by the project owner.

6. Now replace these values in the curl request below.

curl --request POST --header "PRIVATE-TOKEN: glpat-YourpersonalToken" "https://gitlab.com/api/v4/projects/<ProjectID>/access_tokens/<PAT_ID>/rotate"

7. You see that you rotated the project access token created by the project owner, and the response contains the value of the new token with ROLE 50, which means project owner. This means that, as a project maintainer, you can use this new token with the project Owner role and escalate your privileges.

What is the current bug behavior?

Maintainers can use the PAT rotate API to generate a new token which may have the owner role, and so escalate their privileges.

What is the expected correct behavior?

If a PAT has the owner role, then only project owners should be able to rotate it.

Output of checks

This bug happens on GitLab.com GitLab Enterprise Edition 16.2.0-pre e124cf77951

Regards,
Ashish

Impact

Project maintainer can escalate to Project owner using project access token rotate API.

A Project Owner has more capabilities than Maintainers, hence confidentiality and integrity are rated as high in CVSS.
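As an added example (not GitLab's own code, and not part of the HackerOne report), the following Ruby snippet models the authorization gap the report describes and the check that the stated expected behaviour implies: a rotate call must be refused when the caller's project role is below the role carried by the token. The access-level integers follow GitLab's role scale, with Owner = 50 as the report notes and Maintainer = 40; the struct names, the policy functions, the simulated endpoint and the token values are all constructed for this illustration.

```ruby
# Added example (not GitLab's code): a small model of the authorization gap the
# report describes and of the check its "expected behaviour" implies.
# Access-level integers follow GitLab's role scale: Owner = 50 (as the report
# notes) and Maintainer = 40. Tokens, actors and token values are constructed.

MAINTAINER = 40
OWNER = 50

ProjectAccessToken = Struct.new(:id, :name, :access_level, keyword_init: true)
Actor = Struct.new(:username, :project_access_level, keyword_init: true)

# Behaviour the report observed: anyone holding Maintainer or above may rotate
# any project access token, regardless of the role the token itself carries.
def rotate_allowed_reported?(actor, _token)
  actor.project_access_level >= MAINTAINER
end

# Expected behaviour: the actor needs at least Maintainer, and may not rotate a
# token whose role is higher than their own (an Owner-level token needs an Owner).
def rotate_allowed_expected?(actor, token)
  return false if actor.project_access_level < MAINTAINER

  actor.project_access_level >= token.access_level
end

# Simulated rotate endpoint returning an HTTP-like result hash. The policy is
# injected so both behaviours can be compared on the same input.
def rotate_token(actor, token, policy:, sequence: 1)
  return { status: 403 } unless policy.call(actor, token)

  # Constructed token value; a real rotation issues a random value and revokes the old one.
  { status: 200, id: token.id, access_level: token.access_level,
    token: format("glpat-example-%s-%03d", token.id, sequence) }
end

# Walks the report's scenario: an Owner-level token exists, a Maintainer calls
# rotate. Returns the status each policy answers with.
def scenario
  owner_token = ProjectAccessToken.new(id: 1234, name: "owner-token", access_level: OWNER)
  maintainer = Actor.new(username: "maintainer", project_access_level: MAINTAINER)

  {
    reported: rotate_token(maintainer, owner_token, policy: method(:rotate_allowed_reported?))[:status],
    expected: rotate_token(maintainer, owner_token, policy: method(:rotate_allowed_expected?))[:status]
  }
end

if __FILE__ == $PROGRAM_NAME
  result = scenario
  puts "Maintainer rotating an Owner token -> reported: HTTP #{result[:reported]}, expected: HTTP #{result[:expected]}"
end
```

The comparison in `rotate_allowed_expected?` is the whole fix in miniature: the rotate endpoint must compare the caller's role against the token's role, not merely check that the caller may manage tokens at all. The same rule generalises to any token type whose role can exceed the rotating user's role.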

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:

Proposal

See #418878 (comment 1475837442) for the desired behaviour for PrAT/GrAT and service account rotation behaviour

Edited by Adil Farrukh